author | Guy Harris <guy@alum.mit.edu> | 1999-10-07 09:21:38 +0000 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 1999-10-07 09:21:38 +0000 |
commit | c6e161e7dfffd713684e24162a9687090b7e2095 (patch) | |
tree | 808a45d054f28eef54f3b046279c6e803211b23a | |
parent | db5f4239dc774aa207bcb7bed3c0ffee48d97841 (diff) | |
A DNS or NBNS name may contain pointers to other names in the packet; if
the stuff referred to by those pointers goes past the end of the packet,
that's not a reason not to return the length of the DNS or NBNS name
itself - you can tag that name even though it's bad. Therefore,
"get_dns_name()" should return the length of the part of the name it's
looked at even if that name contains a pointer to stuff that goes past
the end of the packet.
This means you can't check its return value to see if it's negative, and
treat it as an error if it is; remove that stuff.
Add checks to make sure the type and class fields in an RR don't go past
the end of the packet.
svn path=/trunk/; revision=781
-rw-r--r-- | packet-dns.c | 18 | ||||
-rw-r--r-- | packet-nbns.c | 43 |
2 files changed, 22 insertions, 39 deletions
diff --git a/packet-dns.c b/packet-dns.c index 570e478046..961e74e2e8 100644 --- a/packet-dns.c +++ b/packet-dns.c @@ -1,7 +1,7 @@ /* packet-dns.c * Routines for DNS packet disassembly * - * $Id: packet-dns.c,v 1.23 1999/10/07 07:44:28 guy Exp $ + * $Id: packet-dns.c,v 1.24 1999/10/07 09:21:36 guy Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs <gerald@zing.org> @@ -368,7 +368,11 @@ error: overflow: /* We ran past the end of the captured data in the packet. */ strcpy(name, "<Name goes past end of captured data in packet>"); - return -1; + /* If "len" is negative, we haven't seen a pointer, and thus haven't + set the length, so set it. */ + if (len < 0) + len = dp - dptr; + return len; } @@ -384,15 +388,19 @@ get_dns_name_type_class(const u_char *pd, int offset, int dns_data_offset, int start_offset = offset; name_len = get_dns_name(pd, offset, dns_data_offset, name, sizeof(name)); - if (name_len < 0) { + offset += name_len; + + if (!BYTES_ARE_IN_FRAME(offset, 2)) { /* We ran past the end of the captured data in the packet. */ return -1; } - offset += name_len; - type = pntohs(&pd[offset]); offset += 2; + if (!BYTES_ARE_IN_FRAME(offset, 2)) { + /* We ran past the end of the captured data in the packet. */ + return -1; + } class = pntohs(&pd[offset]); offset += 2; diff --git a/packet-nbns.c b/packet-nbns.c index cb7898bcbc..164f1506f0 100644 --- a/packet-nbns.c +++ b/packet-nbns.c @@ -4,7 +4,7 @@ * Gilbert Ramirez <gram@verdict.uthscsa.edu> * Much stuff added by Guy Harris <guy@netapp.com> * - * $Id: packet-nbns.c,v 1.29 1999/10/07 07:44:29 guy Exp $ + * $Id: packet-nbns.c,v 1.30 1999/10/07 09:21:38 guy Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs <gerald@zing.org> 
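Review bot: With `return len;` on the `overflow:` path, get_dns_name() now signals truncation only through the placeholder text it copies into `name`, so a caller can no longer tell a name that ran off the captured data from a genuine one. The packet-nbns.c hunks in this commit remove the `name_len < 0` exit from get_nbns_name(), so that placeholder presumably goes on into the first-level decoding step as though it were an encoded NetBIOS name; a separate "truncated" indication would let that caller skip the decoding. I would also add a comment above the function stating the new contract, e.g. `/* Returns the number of bytes the name occupies at "offset", even if the name is bad or runs past the captured data. */`. The function body starts above the hunk, so neither the size of `name` behind the unbounded `strcpy` nor whether `dp - dptr` can include a byte past the captured data can be checked from here.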
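Review bot: When either `BYTES_ARE_IN_FRAME(offset, 2)` check fails, get_dns_name_type_class() returns -1 and the `name_len` it has already obtained is dropped, so a record whose name is intact but whose type or class is cut off still cannot be tagged by the caller, although the description argues that a name should remain taggable even when other data runs past the end of the packet. The same applies to get_nbns_name_type_class() in packet-nbns.c (hunk at -258), where `*type_ret` is assigned only after both checks. If the name length is handed back through an out-parameter outside the hunk, it would need to be stored before the first check; otherwise a comment such as `/* Returns -1 if the type or class field is past the end of the captured data; the name length is not reported in that case. */` should record the limitation. Both function bodies extend beyond their hunks, so how callers treat the -1 is not visible here.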
@@ -159,13 +159,6 @@ get_nbns_name(const u_char *pd, int offset, int nbns_data_offset, name_len = get_dns_name(pd, offset, nbns_data_offset, name, sizeof(name)); - if (name_len < 0) { - /* We ran past the end of the captured data in the packet. */ - strcpy(name_ret, name); - if (name_type_ret != NULL) - *name_type_ret = -1; - return -1; - } /* OK, now undo the first-level encoding. */ pname = &name[0]; @@ -258,14 +251,19 @@ get_nbns_name_type_class(const u_char *pd, int offset, int nbns_data_offset, name_len = get_nbns_name(pd, offset, nbns_data_offset, name_ret, name_type_ret); - if (name_len < 0) { + offset += name_len; + + if (!BYTES_ARE_IN_FRAME(offset, 2)) { /* We ran past the end of the captured data in the packet. */ return -1; } - offset += name_len; - type = pntohs(&pd[offset]); offset += 2; + + if (!BYTES_ARE_IN_FRAME(offset, 2)) { + /* We ran past the end of the captured data in the packet. */ + return -1; + } class = pntohs(&pd[offset]); *type_ret = type; @@ -1271,11 +1269,6 @@ dissect_nbdgm(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) /* Source name */ len = get_nbns_name(pd, offset, offset, name, &name_type); - if (len < 0) { - /* We ran past the end of the captured data in the - packet. */ - return; - } if (tree) { add_name_and_type(nbdgm_tree, offset, len, @@ -1286,11 +1279,6 @@ dissect_nbdgm(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) /* Destination name */ len = get_nbns_name(pd, offset, offset, name, &name_type); - if (len < 0) { - /* We ran past the end of the captured data in the - packet. */ - return; - } if (tree) { add_name_and_type(nbdgm_tree, offset, len, 
@@ -1312,11 +1300,6 @@ dissect_nbdgm(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) header.msg_type == 0x15 || header.msg_type == 0x16) { /* Destination name */ len = get_nbns_name(pd, offset, offset, name, &name_type); - if (len < 0) { - /* We ran past the end of the captured data in the - packet. */ - return; - } if (tree) { add_name_and_type(nbdgm_tree, offset, len, @@ -1416,20 +1399,12 @@ dissect_nbss_packet(const u_char *pd, int offset, frame_data *fd, proto_tree *tr case SESSION_REQUEST: len = get_nbns_name(pd, offset, offset, name, &name_type); - if (len < 0) { - /* We ran past the end of the captured data in the packet. */ - break; - } if (tree) add_name_and_type(nbss_tree, offset, len, "Called name", name, name_type); offset += len; len = get_nbns_name(pd, offset, offset, name, &name_type); - if (len < 0) { - /* We ran past the end of the captured data in the packet. */ - break; - } if (tree) add_name_and_type(nbss_tree, offset, len, |